Abstract

In this note, we give a quantum algorithm that finds collisions in arbitrary
r-to-one functions after only $O(\sqrt[3]{N/r})$ expected evaluations of the
function. Assuming the function is given by a black box, this is more efficient
than the best possible classical algorithm, even allowing probabilism.
We also give a similar algorithm for finding claws in pairs of functions.
Furthermore, we exhibit a space-time tradeoff for our technique. Our
approach uses Grover's quantum searching algorithm in a novel way.

1 Introduction 



A collision for function $F : X \to Y$ consists of two distinct elements
$x_0, x_1 \in X$ such that $F(x_0) = F(x_1)$. The collision problem is to find
a collision in F under the promise that there is one.

This problem is of particular interest for cryptology because some functions
known as hash functions are used in various cryptographic protocols. The
security of these protocols depends crucially on the presumed difficulty of
finding collisions in such functions. A related question is to find so-called
claws in pairs of functions; our quantum algorithm extends to this task. This
has consequences for the security of classical signature and bit commitment
schemes. We refer the interested reader to || for general background on
cryptography, which is not required for understanding our new collision-finding
algorithm.

A function F is said to be r-to-one if every element in its image has exactly
r distinct preimages. We assume throughout this note that function F is given
as a black box, so that it is not possible to obtain knowledge about it by any
other means than evaluating it on points in its domain. When F is two-to-one,
the most efficient classical algorithm possible for the collision problem
requires an expected $\Theta(\sqrt{N})$ evaluations of F, where $N = |X|$
denotes the cardinality of the domain. This classical algorithm, which uses a
principle reminiscent of the birthday paradox, is reviewed in the next section.

Recently, at a talk held at AT&T, Eric Rains asked if it is possible to do
better on a quantum computer. In this note, we give a positive answer to this
question by providing a quantum algorithm that finds a collision in an arbitrary
two-to-one function F after only $O(\sqrt[3]{N})$ expected evaluations.

Earlier, Simon addressed the XOR-mask problem defined as follows.
Consider integers $m > n$. We are given a function
$F : \{0,1\}^n \to \{0,1\}^m$ and promised that either F is one-to-one or it is
two-to-one and there exists an $s \in \{0,1\}^n$ such that $F(x_0) = F(x_1)$ if
and only if $x_0 \oplus x_1 = s$, for all distinct $x_0, x_1 \in \{0,1\}^n$,
where $\oplus$ denotes the bitwise exclusive-or. Simon's problem is to decide
which of these two conditions holds, and to find s in the latter case.
Note that finding s is equivalent to finding a collision in the case that F is
two-to-one. Simon gave a quantum algorithm to solve his problem in expected
time polynomial in n and in the time required to compute F. The running
time required for this task on a quantum computer was recently improved to
being worst-case (rather than expected) polynomial time thanks to a more
sophisticated algorithm ||. Simon's algorithm is interesting from a theoretical
point of view because any classical algorithm that uses only sub-exponentially
(in n) many evaluations of F cannot hope to distinguish between the two types
of functions significantly better than simply by tossing a coin, assuming equal
a priori probabilities [7, 3]. Unfortunately, the XOR-mask constraint when F is
two-to-one is so restrictive that Simon's algorithm has not yet found a
practical application.

More recently, Grover || discovered a quantum algorithm for a different
searching problem. We are given a function $F : X \to \{0,1\}$ with the promise
that there exists a unique $x_0 \in X$ so that $F(x_0) = 1$, and we are asked to
find $x_0$. Provided the domain of the function is of cardinality a power of
two ($N = 2^n$), Grover gave a quantum algorithm that finds the unknown $x_0$
with probability at least 1/2 after only $O(\sqrt{N})$ evaluations of F.

A natural generalization of this searching problem occurs when $F : X \to Y$
is an arbitrary function. Given some $y_0 \in Y$, we are asked to find an
$x \in X$ such that $F(x) = y_0$, provided such an x exists. If
$t = |\{x \in X \mid F(x) = y_0\}|$ denotes the number of different solutions,
[I] gives a generalization of Grover's algorithm that can find a solution
whenever it exists ($t \ge 1$) after an expected number of $O(\sqrt{N/t})$
evaluations of F. Although the algorithm does not need to know the
value of t ahead of time, it is more efficient (in terms of the hidden constant
in the O notation) when t is known, which will be the case for most algorithms
given here. From now on, we refer to this generalization of Grover's algorithm
as Grover$(F, y_0)$. Note that the number of evaluations of F is not
polynomially bounded in $\log N$ when $t \ll N$; nevertheless Grover's algorithm
is considerably more efficient than classical brute-force searching.

In the next section, we give our new quantum algorithm for solving the 
collision problem for two-to-one functions. We then discuss a straightforward 
generalization to r-to-one functions and even to arbitrary functions whose image 
is sufficiently smaller than their domain. A natural space-time tradeoff emerges 
for our technique. Finally, we give applications to finding claws in pairs of 
functions. 

2 Algorithms for the collision problem 

We first state two simple algorithms for the collision problem, one classical and
one quantum. Both of these algorithms use an expected number of $O(\sqrt{N})$
evaluations of the given function, but the quantum algorithm is more space
efficient. We derive our improved algorithm from these two simple solutions.

The first solution is a well-known classical probabilistic algorithm, here stated
in slightly different terms than traditionally. The algorithm consists of three
steps. First, it selects a random subset $K \subseteq X$ of cardinality
$k = c\sqrt{N}$ for an appropriate constant c. Then, it computes the pair
$(x, F(x))$ for each $x \in K$ and sorts these pairs according to the second
entry. Finally, it outputs a collision in K if there is one, and otherwise
reports that none has been found. Based on the birthday paradox, it is not
difficult to show that if F is two-to-one then this algorithm returns a
collision with probability at least 1/2 provided c is sufficiently large
($c \approx 1.18$ will do). If we take a pair $(x, F(x))$ as unit of space then
the algorithm can be implemented in space $\Theta(\sqrt{N})$, and $O(\sqrt{N})$
evaluations of F suffice to succeed with probability 1/2. If we care about
running time rather than simply the number of evaluations of F, it may be
preferable to resort to universal hashing 0] rather than sorting to find a
collision in K. This would avoid spending $\Theta(\sqrt{N} \log N)$ time sorting
the table, making possible a $O(\sqrt{N})$ overall expected running time if we
assume that each evaluation of F takes constant time. We stick to the sorting
paradigm for simplicity and because it is not clear if the benefits of universal
hashing carry over to quantum parallelism situations such as ours. We come back
to this issue in Section 3.

The simple quantum algorithm for two-to-one functions also consists of
three steps. First, it picks an arbitrary element $x_0 \in X$. Then, it
computes $x_1 = $ Grover$(H, 1)$ where $H : X \to \{0,1\}$ denotes the function
defined by $H(x) = 1$ if and only if $x \ne x_0$ and $F(x) = F(x_0)$. Finally,
it outputs the collision $\{x_0, x_1\}$. There is exactly one $x \in X$ that
satisfies $H(x) = 1$ so $t = 1$, and thus the expected number of evaluations of
F is also $O(\sqrt{N})$, still to succeed with probability 1/2, but constant
space suffices.

Our new algorithm, denoted Collision and given below, can be thought of
as the logical union of the two algorithms above. The main idea is to select a
subset K of X and then use Grover to find a collision $\{x_0, x_1\}$ with
$x_0 \in K$ and $x_1 \in X \setminus K$. The expected number of evaluations of
F and the space used by the algorithm are determined by the parameter
$k = |K|$, the cardinality of K.

Collision(F, k) 

1. Pick an arbitrary subset $K \subseteq X$ of cardinality k. Construct a table
L of size k where each item in L holds a distinct pair $(x, F(x))$ with
$x \in K$.

2. Sort L according to the second entry in each item of L.

3. Check if L contains a collision, that is, check if there exist distinct
elements $(x_0, F(x_0)), (x_1, F(x_1)) \in L$ for which $F(x_0) = F(x_1)$.
If so, go to step 6.

4. Compute $x_1 = $ Grover$(H, 1)$ where $H : X \to \{0,1\}$ denotes the
function defined by $H(x) = 1$ if and only if there exists $x_0 \in K$ so that
$(x_0, F(x)) \in L$ but $x \ne x_0$. (Note that $x_0$ is unique if it exists
since we already checked that there are no collisions in L.)

5. Find $(x_0, F(x_1)) \in L$.

6. Output the collision $\{x_0, x_1\}$.

Theorem 1 Given a two-to-one function $F : X \to Y$ with $N = |X|$ and an
integer $1 < k < N$, algorithm Collision(F, k) returns a collision after an
expected number of $O(k + \sqrt{N/k})$ evaluations of F and uses space
$\Theta(k)$. In particular, when $k = \sqrt[3]{N}$ then Collision(F, k)
evaluates F an expected number of $O(\sqrt[3]{N})$ times and uses space
$O(\sqrt[3]{N})$.

Proof The correctness of the algorithm follows easily from the definition of H
and the construction of Grover$(H, 1)$.

We now count the number of evaluations of F. In the first step, the algorithm
uses k such evaluations. Set $t = |\{x \in X \mid H(x) = 1\}|$. By the previous
section, subroutine Grover in step 4 uses an expected number of
$O(\sqrt{N/t})$ evaluations of the function H to find one of the t solutions.
Each evaluation of H can be implemented by using only one evaluation of F.
Finally, our algorithm evaluates F once in the penultimate step, giving a total
expected number of $k + O(\sqrt{N/t}) + 1$ evaluations of F. Since F is
two-to-one, t equals the cardinality of K, that is, $t = k$, and the first part
of the theorem follows. The second part is immediate. □

In a nutshell, the improvement of our algorithm over the simple quantum
algorithm is achieved by trading time for space. Suppose the cardinality of set K
is large. Then the expected number of evaluations of H used by subroutine
Grover$(H, 1)$ is small, but on the other hand more space is needed to store
table L. Analogously, if K is small then the space requirements are less but also
Grover$(H, 1)$ runs slower.
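
The steps of Collision(F, k) and the evaluation count of Theorem 1 can be traced on a small instance. The following is an added example, not code from the original note: it runs the six steps on a constructed random two-to-one function and replaces the quantum subroutine with a classical state-vector simulation of Grover's search. The function names, the choice K = {0, ..., k-1}, and the standard iteration count ⌊(π/4)·√(N/t)⌋ are assumptions of this example.

```python
import math, random
from bisect import bisect_left

def make_two_to_one(n, rng):
    """Constructed sample input: a random two-to-one F on range(n), as a list."""
    xs = list(range(n))
    rng.shuffle(xs)
    f = [0] * n
    for y in range(n // 2):
        f[xs[2 * y]] = f[xs[2 * y + 1]] = y
    return f

def grover(h, n, t, rng):
    """State-vector simulation of Grover search over range(n) with t solutions.
    Returns (measured x, oracle queries a quantum computer would spend)."""
    marked = [h(x) for x in range(n)]        # cost of simulating, not counted
    amp = [1 / math.sqrt(n)] * n             # uniform superposition
    iters = int(math.pi / 4 * math.sqrt(n / t))
    for _ in range(iters):
        amp = [-a if m else a for a, m in zip(amp, marked)]  # oracle phase flip
        mean = sum(amp) / n
        amp = [2 * mean - a for a in amp]                    # inversion about the mean
    x = rng.choices(range(n), weights=[a * a for a in amp])[0]  # measurement
    return x, iters

def collision(f, k, rng):
    """Collision(F, k) for two-to-one F; returns ((x0, x1), evaluations of F)."""
    table = sorted((f[x], x) for x in range(k))   # steps 1-2: table L sorted by F(x)
    evals = k
    for (y0, x0), (y1, x1) in zip(table, table[1:]):   # step 3: collision inside L?
        if y0 == y1:
            return (x0, x1), evals
    ys = [y for y, _ in table]
    def partner(y):                               # binary search for y in L
        i = bisect_left(ys, y)
        return table[i][1] if i < k and ys[i] == y else None
    def h(x):                                     # H(x) = 1 iff (x0, F(x)) in L, x != x0
        x0 = partner(f[x])
        return x0 is not None and x0 != x
    while True:
        x1, queries = grover(h, len(f), k, rng)   # step 4 with t = k solutions
        evals += queries + 1                      # plus one evaluation in step 5
        x0 = partner(f[x1])                       # step 5
        if x0 is not None and x0 != x1:           # repeat if the measurement missed
            return (x0, x1), evals                # step 6

if __name__ == "__main__":
    rng = random.Random(1)
    print(collision(make_two_to_one(4096, rng), 16, rng))
```

With N = 4096 the simulation uses k = 16, the cube root of N, and compares against k = 1, which is the simple quantum algorithm described earlier.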

Suppose now that we apply algorithm Collision, not necessarily on a
two-to-one function, but on an arbitrary r-to-one function where $r > 2$. Then
we have the following theorem, whose proof is essentially the same as that of
Theorem 1.

Theorem 2 Given an r-to-one function $F : X \to Y$ with $r > 2$ and an integer
$1 < k < N = |X|$, algorithm Collision(F, k) returns a collision after an
expected number of $O(k + \sqrt{N/(rk)})$ evaluations of F and uses space
$\Theta(k)$. In particular, when $k = \sqrt[3]{N/r}$ then Collision(F, k) uses
an expected number of $O(\sqrt[3]{N/r})$ evaluations of F and space
$O(\sqrt[3]{N/r})$.

Note that algorithm Collision(F, k) can also be applied on an arbitrary
function $F : X \to Y$ for which $|X| > r|Y|$ for some $r > 1$, even if F is
not r-to-one. However, the algorithm must be modified in two ways for the
general case. First of all, the subset $K \subseteq X$ of cardinality k must be
picked at random, rather than arbitrarily, at step 1. Furthermore, the fully
generalized version of Grover's algorithm given in [IjJ must be used at step 4
because the number of solutions for Grover$(H, 1)$ is no longer known in advance
to be exactly $t = (r - 1)k$.

By varying k in Theorem 2, the following space-time tradeoff emerges.

Corollary 3 There exists a quantum algorithm that can find a collision in an
arbitrary r-to-one function $F : X \to Y$, for any $r > 2$, using space S and an
expected number of $O(T)$ evaluations of F for every $1 < S < T$ subject to

$$S T^2 > |F(X)|$$

where $F(X)$ denotes the image of F.

Consider now two functions $F : X \to Z$ and $G : Y \to Z$ that have the same
codomain. By definition, a claw is a pair $x \in X$, $y \in Y$ such that
$F(x) = G(y)$. Many cryptographic protocols are based on the assumption that
there are efficiently-computable functions F and G for which claws cannot be
found efficiently even though they exist in large number.

The simplest case arises when both F and G are bijections, which is the usual
situation when such functions are used to create unconditionally-concealing bit
commitment schemes. If $N = |X| = |Y| = |Z|$, algorithm Collision is easily
modified as follows.

Claw(F, G, k) 

1. Pick an arbitrary subset $K \subseteq X$ of cardinality k. Construct a table
L of size k where each item in L holds a distinct pair $(x, F(x))$ with
$x \in K$.

2. Sort L according to the second entry in each item of L.

3. Compute $y_0 = $ Grover$(H, 1)$ where $H : Y \to \{0,1\}$ denotes the
function defined by $H(y) = 1$ if and only if a pair $(x, G(y))$ appears in L
for some arbitrary $x \in K$.

4. Find $(x_0, G(y_0)) \in L$.

5. Output the claw $(x_0, y_0)$.

Theorem 4 Given two one-to-one functions $F : X \to Z$ and $G : Y \to Z$ with
$N = |X| = |Y| = |Z|$ and an integer $1 < k < N$, algorithm Claw(F, G, k)
returns a claw after k evaluations of F and $O(\sqrt{N/k})$ evaluations of G,
and uses space $\Theta(k)$. In particular, when k = then Claw(F, G, k)
evaluates F and G an expected number of $O(\sqrt[3]{N})$ times and uses space
$\Theta(\sqrt[3]{N})$.

Proof Similar to the proof of Theorem 1. □

The case in which both F and G are r-to-one for some $r > 2$ and
$N = |X| = |Y| = r|Z|$ is handled similarly. However, it becomes necessary in
step 1 of algorithm Claw to select the elements of K so that no two of them are
mapped to the same point by F. This will ensure that the call on Grover$(H, 1)$
at step 3 has exactly $kr$ solutions to choose from. The simplest way to choose
K is to pick random elements in X until = k. As long as $k < |Z|/2$, this
requires trying less than $2k$ random elements of X, except with vanishing
probability. The proof of the following theorem is again essentially as before.

Theorem 5 Given two r-to-one functions $F : X \to Z$ and $G : Y \to Z$ with
$N = |X| = |Y| = r|Z|$ and an integer $1 < k < N/2r$, modified algorithm
Claw(F, G, k) returns a claw after an expected number of $\Theta(k)$ evaluations
of F and $O(\sqrt{N/(rk)})$ evaluations of G, and uses space $\Theta(k)$. In
particular, when $k = \sqrt[3]{N/r}$ then Claw(F, G, k) evaluates F and G an
expected number of $O(\sqrt[3]{N/r})$ times and uses space
$\Theta(\sqrt[3]{N/r})$.

3 Discussion 

When we say that our quantum algorithms require $O(k)$ space to hold table L,
this corresponds unfortunately to the amount of quantum memory, a rather
scarce resource with current technology. Note however that this table is built
classically in the initial steps of algorithms Collision and Claw: it needs to
live in quantum memory for read purposes only. In practice, it may be easier to
build large read-only quantum memories than general read/write memories.

We considered only the number of evaluations of F in the analysis of algorithm
Collision. The time spent sorting L and doing binary search in L should
also be taken into account if we wanted to analyse the running time of our
algorithm. If we assume that it takes time T to compute the function (rather
than assuming that it is given as a black box), then it is straightforward to
show that the algorithm given by Theorem 2 runs in expected time

$$O\big((k + \sqrt{N/(kr)})\,(T + \log k)\big).$$

Thus, the time spent sorting is negligible only if it takes $\Omega(\log k)$
time to compute F. Similar considerations apply to algorithm Claw. It is
tempting to try using universal hashing to bypass the need for sorting, as in
the simple classical algorithm, but it is not clear that this approach saves
time here because our use of quantum parallelism when we apply Grover's
algorithm will take a time that is given by the maximum time taken for all
requests to the table, which is unlikely to be constant even though the expected
average time is constant.